What is a remote block list?

A remote block list is a list of known or suspected IP addresses considered sources of spam. Remote block lists work as spam-fighting tools, safeguarding inboxes from unwanted emails.

Understanding remote block lists

To prevent spam emails from cluttering inboxes, email services use various methods to confirm if an email is wanted and legitimate for its intended recipient. An example of such a tool is a remote block list (RBL). The RBL catalogs suspected IP addresses identified as sources for sending unsolicited emails. Different categories comprise both domain-based blocklists and IP-based blocklists.

According to Embroker, a digital insurance brokerage and risk management platform, over 75% of targeted cyberattacks start with an email. Therefore, protecting your email from spam emails using RBLs will reduce the chances of a cyberattack.

How does a remote block list work?

Most IP blocklists are based on spam trap email addresses, where if an email is sent to a spam trap address owned by the blocklist, they will list the IP responsible for the email sent. The more legitimate blocklists will use algorithms to monitor and measure email that flows through their systems, ranking the email messages' volume, frequency, and content and tracing the messages back to the source. Other blocklists will list an IP based on a single email as a spam trap. 

Some blocklists use manual reporting mechanisms where participants report suspected IP addresses to the blocklist. If enough people report the IP address, the blocklist may add it to their list of known or suspected sources of spam. Blocklists themselves do not block emails, but the email systems that reference the blocklists do the blocking.  

See also: HIPAA Compliant Email: The Definitive Guide

How many blocklists are there?

There are hundreds, if not thousands, of RBLs in the world. Some blocklists are maintained by large companies, and some are open-source projects run by volunteers.

Types of block lists

Blocklists come in various types, each tailored to address specific threats or nuisances. Here are the different types of blocklists commonly used:

• IP blocklists: These lists contain IP addresses known as sources of malicious activities, such as spamming, distributing malware, or launching cyber attacks. IP blocklists are frequently used in firewalls, email servers, and network intrusion detection systems to block or filter traffic from these addresses.
• Domain blocklists: Domain blocklists contain domain names or URLs associated with malicious websites, phishing scams, or other harmful content. They are utilized in web filters, email security solutions, and browser extensions to prevent users from accessing these sites or receiving emails containing links to them.
• URL blocklists: Similar to domain blocklists, URL blocklists focus specifically on individual web page addresses or URLs known to host malicious content, phishing forms, or scams. Web proxies, email filters, and antivirus software commonly employ them to block access to these URLs.
• Email blocklists: Email blocklists, also known as email blacklists or DNSBLs (Domain Name System Blacklists), contain email servers or domains identified as sources of spam or abusive email traffic. They are used by email servers and anti-spam filters to reject or mark emails originating from these sources as spam.
• Botnet blocklists: These blocklists target IP addresses or domains associated with botnets, networks of compromised computers controlled by malicious actors. Botnet blocklists help identify and mitigate botnet-related threats such as distributed denial-of-service (DDoS) attacks, spam campaigns, and credential theft.
• Phishing blocklists: Phishing blocklists focus on identifying and blocking websites, email addresses, or domains used in phishing attacks. 
• Malware blocklists: Malware blocklists contain indicators of compromise (IOCs) related to known malware strains, such as file hashes, URLs, or command-and-control (C&C) server addresses. They are used by antivirus software, intrusion detection systems, and security information and event management (SIEM) platforms to detect and block malware infections.
• Advertisement blocklists: These blocklists target domains or URLs associated with online advertisements, pop-ups, or tracking scripts. They are commonly used by ad-blocking browser extensions, content-filtering proxies and network-level ad blockers to enhance user privacy and security.

See also: What is an email filter?

Where can I get an RBL?

Block lists can be obtained from various sources, including:

• Commercial security providers: Many cybersecurity companies offer block lists as part of their services. These lists are often updated regularly and may include comprehensive coverage of various threats, such as spam, malware, phishing, and malicious IP addresses.
• Nonprofit organizations: Entities like Spamhaus and SURBL provide block lists free of charge to help combat spam and other email-related threats. 
• Open source projects: Some block lists are developed collaboratively within the open-source community. These projects may focus on specific threats or vulnerabilities and often rely on community participation for updates and maintenance.
• Internet service providers (ISPs): ISPs may maintain their block lists to protect their networks and customers from spam, malware, and other malicious activities. These lists are often integrated into the ISP's email filtering systems.
• Government agencies: Certain government agencies may publish block lists as part of their efforts to combat cyber threats. 
• Community contributions: Some block lists are compiled based on reports and contributions from internet users, security professionals, and other stakeholders. These lists rely on collective intelligence to identify and block malicious actors and content.
• Research institutions: Academic and research organizations may develop block lists as part of their cybersecurity research efforts. These lists may focus on emerging cyber attack threats, vulnerabilities, or trends.
• Industry groups: Associations and industry groups in sectors such as finance, healthcare, and technology may develop block lists tailored to the specific needs and challenges of their respective industries.
• Crowdsourced platforms: Platforms that allow users to report and share information about spam, phishing, and other cyber threats can be valuable sources of block lists. These platforms often rely on crowdsourcing to gather intelligence and identify malicious activity.

FAQ’s

How does an RBL work?

When an email is received, the recipient's email server checks the sender's IP address against one or more RBLs. If the IP address is found on the RBL, the email may be rejected, marked as spam, or subjected to additional scrutiny.

Who maintains RBLs?

RBLs are maintained by various organizations and companies specializing in email security. Some well-known RBL providers include Spamhaus, SURBL, and Barracuda Networks, among others.

Can I request removal from an RBL if my IP address is listed erroneously?

RBL providers have a process for submitting removal requests. This involves demonstrating that the issue leading to the listing has been resolved and complying with any specific requirements outlined by the provider.